Move OTP synchronization step to after counter writeback

This prevents synchronization when an authentication collision occurs.

https://fedorahosted.org/freeipa/ticket/4493

Reviewed-By: Thierry bordaz (tbordaz) <tbordaz@redhat.com>
Nathaniel McCallum
2014-09-19 12:18:34 -04:00
committed by Petr Viktorin
parent 9ba33971fa
commit 915837c14a


@@ -202,17 +202,6 @@ static bool validate(struct otptoken *token, time_t now, ssize_t step,
if (*second != tmp)
return false;
/* Perform optional synchronization steps. */
switch (token->type) {
case OTPTOKEN_TOTP:
tmp = (step - now / token->totp.step) * token->totp.step;
if (!writeattr(token, T("clockOffset"), tmp))
return false;
break;
default:
break;
}
}
/* Write the step value. */
@@ -222,6 +211,13 @@ static bool validate(struct otptoken *token, time_t now, ssize_t step,
/* Save our modifications to the object. */
switch (token->type) {
case OTPTOKEN_TOTP:
/* Perform optional synchronization steps. */
if (second != NULL) {
tmp = (step - now / token->totp.step) * token->totp.step;
if (!writeattr(token, T("clockOffset"), tmp))
return false;
token->totp.offset = tmp;
}
token->totp.watermark = step;
break;
case OTPTOKEN_HOTP:
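Review bot: In the TOTP case the `clockOffset` write can now fail after the step value has already been written back (the "Write the step value" block sits between the two hunks), so on `return false` the persisted watermark is ahead of the persisted offset. That ordering looks intentional — the watermark only ever advances, so a partial update cannot reopen a replay window — but nothing in the hunk says so; I would add `/* The step is already persisted; if the offset write fails the watermark stays advanced, which is the safe direction. */` above the `writeattr` call. `token->totp.offset = tmp;` is assigned only after the write succeeds, so the in-memory offset never runs ahead of the stored one, which also deserves a one-line comment. validate's body begins before the first hunk and continues past this one.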